Operational Resilience Audit


Summary of Guidelines on Business Continuity Management issued by the Monetary Authority of Singapore

Key Focus Areas for Guidelines on Business Continuity Management by the Monetary Authority of Singapore

The Monetary Authority of Singapore (MAS) has issued comprehensive guidelines on Business Continuity Management (BCM) to assist financial institutions (FIs) in Singapore in effectively managing potential disruptions and ensuring the continuity of critical business services. 

Objective

This blog aims to provide an overview of the key aspects of the MAS Guidelines on BCM, with a specific focus on the ten areas covered by the guidelines. The full text of the guidelines is available on the MAS webpage.

The article is also part of the pre-reading for participants attending the operational resilience implementer or expert implementer course to understand the relationship between the MAS's Business Continuity Management guidelines and Operational Resilience guidelines issued by other regulatory jurisdictions.

Application of MAS Guidelines

The first section of the MAS Guidelines on BCM sets out their scope: they apply to all financial institutions regulated by MAS in Singapore, including banks, insurers, and capital market intermediaries.

The guidelines ensure financial institutions have robust and effective BCM frameworks to identify potential risks, implement appropriate risk mitigation measures, and establish resilient business continuity plans.

Observance of these guidelines is expected. MAS guidelines set out supervisory expectations; while they are not legally binding in the way a notice or regulation is, the degree to which an institution observes them is taken into account in MAS's overall assessment of that institution. Institutions are expected to maintain a state of readiness to respond to and recover from disruptions.

Notes on OR vs BCM: Related regulatory requirements and guidelines on operational resilience have been issued by other central banks and regulators worldwide. These will fall within your purview if you hold global or regional responsibilities.

Critical Business Services and Functions

Financial institutions must identify and prioritise their critical business services (CBS) and critical business functions (CBF), which are essential for maintaining financial stability and providing uninterrupted services to customers.

Do note that there is a difference between CBS and CBF: broadly, critical business services are the services delivered to customers or the market, while critical business functions are the internal functions that support the delivery of those services.

The guidelines provide a framework for identifying these critical services, assessing their impact on the institution and its customers, and establishing appropriate recovery strategies.

Financial institutions must maintain a comprehensive inventory of critical business services and functions and ensure recovery plans are in place to minimise disruption and ensure timely recovery.

Notes on OR vs BCM: Similar terminology is used by regulators in other jurisdictions. It is helpful to know that "critical business services" is the term used by MAS, whereas the US Federal Reserve and the Hong Kong Monetary Authority use "critical operations".

Service Recovery Time Objective (SRTO)


The Service Recovery Time Objective (SRTO) is the timeframe within which a critical business service, and the functions that support it, should be recovered following a disruption.

The MAS Guidelines on BCM emphasise the importance of setting realistic and achievable recovery time objectives to minimise the impact of disruptions.

Financial institutions must define an SRTO for each critical business service, and RTOs for the critical business functions that support it, based on their business impact analysis; the RTOs of the supporting functions must be set so that the SRTO of the service can be met.

The SRTOs and RTOs should be regularly reviewed and tested to confirm that they remain achievable.

Notes on OR vs BCM: Similar terminology is used by regulators in other jurisdictions. It is helpful to understand the difference between the SRTO defined by MAS, the RTO used in established BCM practice, and the impact tolerance spelt out by other regulators.

Dependency Mapping

Dependency mapping is a crucial aspect of BCM that involves identifying and understanding the interdependencies between systems, processes, people and external parties.

Financial institutions must conduct dependency mapping exercises to identify critical dependencies, including technology systems, infrastructure, third-party service providers, and key personnel.

The guidelines emphasise the need for financial institutions to establish contingency plans to mitigate potential risks associated with these dependencies and ensure alternative arrangements are in place.

Concentration Risk

Concentration risk refers to the exposure an organisation faces when many of its critical services rely on the same provider, site, system or team, so that a single point of failure can disrupt several services at once.

The MAS Guidelines on BCM stress the importance of identifying and mitigating concentration risk as a critical component of business continuity planning.

Financial institutions must thoroughly assess their operations, processes, systems, and third-party dependencies to identify risk concentrations.

By diversifying the suppliers, sites and systems on which critical services and functions rely, financial institutions can reduce their vulnerability to disruptions caused by a single event or failure.

The guidelines recommend implementing appropriate risk mitigation strategies, such as redundancy, alternate sites, and contingency plans, to address concentration risk effectively.
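The SRTO, dependency mapping and concentration risk points above can be turned into a repeatable check over the institution's own inventory. The following is an added example written for this page, not code from the MAS guidelines or the original post; the services, dependencies, SRTO and RTO values are constructed sample data, and the two-level inventory (services, then the dependencies and their own dependencies) is an assumption about how such a map is kept. It walks the map transitively, reports dependencies that are missing from the inventory, flags dependencies shared by several critical business services, and lists every dependency whose RTO makes a service's SRTO unachievable.

```python
"""Dependency mapping, concentration-risk and SRTO feasibility checks.

Added illustration for this page, not code from the MAS guidelines or the
original post. All names and hour values below are constructed sample data.
"""
from collections import defaultdict

# Constructed inventory of critical business services (CBS): the SRTO in
# hours and the functions, systems, sites and providers each one relies on.
SERVICES = {
    "Retail payments":  {"srto_hours": 4,  "depends_on": ["Core banking", "Payment gateway", "Data centre A"]},
    "Online banking":   {"srto_hours": 2,  "depends_on": ["Core banking", "Identity provider", "Data centre A"]},
    "Trade settlement": {"srto_hours": 24, "depends_on": ["Settlement engine", "SWIFT connectivity", "Data centre B"]},
    "Customer contact": {"srto_hours": 8,  "depends_on": ["Telephony vendor", "Identity provider", "CRM SaaS"]},
}

# Constructed inventory of dependencies: each one's own RTO in hours and the
# next-level things it relies on (a fourth party, a site, a key team).
# "CRM SaaS" is deliberately absent, to show how an unmapped dependency surfaces.
DEPENDENCIES = {
    "Core banking":       {"rto_hours": 6,  "depends_on": ["Data centre A", "DBA team"]},
    "Payment gateway":    {"rto_hours": 2,  "depends_on": ["Data centre A"]},
    "Identity provider":  {"rto_hours": 1,  "depends_on": ["Cloud provider X"]},
    "Settlement engine":  {"rto_hours": 12, "depends_on": ["Data centre B"]},
    "SWIFT connectivity": {"rto_hours": 4,  "depends_on": ["Cloud provider X"]},
    "Telephony vendor":   {"rto_hours": 8,  "depends_on": []},
    "Data centre A":      {"rto_hours": 8,  "depends_on": []},
    "Data centre B":      {"rto_hours": 8,  "depends_on": []},
    "DBA team":           {"rto_hours": 1,  "depends_on": []},
    "Cloud provider X":   {"rto_hours": 4,  "depends_on": []},
}


def transitive_dependencies(name):
    """Every dependency reachable from a service or dependency, direct or indirect.

    The visited set guards against cycles, which real maps do contain
    (e.g. a monitoring system hosted in the data centre it monitors).
    """
    start = SERVICES.get(name) or DEPENDENCIES.get(name) or {"depends_on": []}
    seen, stack = set(), list(start["depends_on"])
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(DEPENDENCIES.get(dep, {"depends_on": []})["depends_on"])
    return seen


def unmapped_dependencies():
    """Names referenced as a dependency but absent from the inventory.

    Each is a gap in the dependency map: no owner, no RTO, no contingency plan.
    """
    referenced = set()
    for entry in list(SERVICES.values()) + list(DEPENDENCIES.values()):
        referenced.update(entry["depends_on"])
    return sorted(referenced - set(DEPENDENCIES))


def concentrations(min_services=2):
    """Dependencies that at least `min_services` CBS rely on, directly or not.

    Returns (dependency, sorted list of dependent services) pairs.
    """
    users = defaultdict(set)
    for svc in SERVICES:
        for dep in transitive_dependencies(svc):
            users[dep].add(svc)
    return sorted((dep, sorted(svcs)) for dep, svcs in users.items()
                  if len(svcs) >= min_services)


def srto_findings():
    """Per CBS, dependencies whose RTO exceeds the SRTO or that have no RTO.

    A service cannot be back before the things it runs on, so each finding
    means the SRTO is not achievable as currently mapped.
    """
    findings = []
    for svc, spec in SERVICES.items():
        for dep in sorted(transitive_dependencies(svc)):
            rto = DEPENDENCIES.get(dep, {}).get("rto_hours")
            if rto is None:
                findings.append((svc, dep, "no RTO defined"))
            elif rto > spec["srto_hours"]:
                findings.append((svc, dep, f"RTO {rto}h exceeds SRTO {spec['srto_hours']}h"))
    return findings


if __name__ == "__main__":
    print("Unmapped dependencies:", unmapped_dependencies())
    for dep, svcs in concentrations(min_services=3):
        print(f"Concentration: {dep} underpins {', '.join(svcs)}")
    for svc, dep, why in srto_findings():
        print(f"SRTO finding: {svc} <- {dep}: {why}")
```

Two points are worth noting from the sample run. The only dependency shared by three services, "Cloud provider X", is not listed directly by any service; it is a fourth party reached only through the identity provider and the SWIFT connectivity, which is why the concentration check must walk the map transitively rather than read the first level. The SRTO check treats each dependency's RTO as measured from the moment of disruption, the usual BCM convention; where recovery is serial (a system cannot start recovering until its own dependency is back), sum the RTOs along the path before comparing against the SRTO.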

Continuous Review and Improvement

The MAS Guidelines on BCM emphasise the need for financial institutions to adopt a proactive approach by continuously reviewing and improving their BCM frameworks.

BCM is not a one-time exercise but a dynamic process that should evolve alongside changes in the business environment and emerging risks.

Financial institutions are encouraged to establish robust governance mechanisms to monitor the effectiveness of their BCM frameworks and ensure regular updates.

The guidelines also highlight the importance of feedback loops, incident reporting, and lessons-learned exercises to identify areas for improvement and drive continuous enhancements in BCM capabilities.

Notes on OR vs BCM: "Continuous improvement" appears in most published regulations. The key is to learn from past incidents and from the deficiencies identified through testing and exercising.

Testing

Testing is a critical aspect of BCM and plays a vital role in validating the effectiveness of business continuity plans.

The MAS Guidelines on BCM emphasise the importance of regular testing to ensure that plans are practical, executable, and aligned with recovery time objectives.

Financial institutions must conduct comprehensive and realistic testing exercises, including tabletop exercises, simulation drills, and full-scale recovery tests.

Testing should encompass various scenarios, including different types of disruptions, to assess the resilience and responsiveness of critical business services and functions.

The guidelines also emphasise the involvement of key stakeholders, including internal teams, external vendors, and regulatory authorities, in testing exercises to ensure coordination and collaboration.

Notes on OR vs BCM: End-to-end testing driven by a scenario is called scenario testing. It is helpful to review the difference between operational resilience testing and BC testing.

Audit

The MAS Guidelines on BCM emphasise the importance of conducting regular audits to assess the effectiveness and adequacy of a financial institution's BCM framework.

Audits play a crucial role in verifying the implementation of BCM measures, identifying gaps or weaknesses, and recommending improvements. Financial institutions should establish an independent internal audit function or engage external auditors to conduct comprehensive audits.

These audits should cover all aspects of the BCM framework, including risk assessments, business impact analysis, recovery strategies, and documentation of policies and procedures. Audit findings and recommendations should be reported to the appropriate levels of management and the board for prompt action.

Incident and Crisis Management

Incident and crisis management is a critical component of BCM that involves effectively responding to and managing disruptions and crises when they occur.

The MAS Guidelines on BCM emphasise the need for financial institutions to establish robust incident and crisis management frameworks. This includes defining roles and responsibilities, establishing communication protocols, and implementing escalation procedures.

Financial institutions should also establish incident identification, reporting, and resolution processes. Regular training and drills should be conducted to enhance the readiness and capability of staff to respond to incidents and crises promptly and effectively.

Responsibilities of Board and Senior Management

The MAS Guidelines on BCM highlight the crucial role of the board and senior management in ensuring the effectiveness of the BCM framework.

Financial institutions should establish a clear governance structure and assign accountability to the board and senior management for BCM.

The board and senior management are responsible for setting the strategic direction, providing oversight, and allocating adequate resources for BCM initiatives.

They should also ensure BCM policies and procedures align with the institution's risk appetite and regulatory requirements.

Regular reporting on BCM performance, including key metrics and progress against action plans, should be provided to the board and senior management.

Notes on OR vs BCM: The challenge in implementing OR is that, despite the experience of COVID-19, the board and most of senior management are still only informed of the response after an event.

To meet this requirement, the board of directors and senior management must actively oversee the organisation's operational resilience framework in relation to its strategy and risk appetite, which puts them in a position to make the right investment and risk decisions.

Conclusion

The MAS Guidelines on Business Continuity Management provide a comprehensive framework for financial institutions in Singapore to establish effective BCM practices.

By adhering to these guidelines, financial institutions can enhance their resilience and ability to respond to disruptions, thereby ensuring the continuity of critical business services. 

 

ORA [Plan] Questionnaires: Develop Strategy Roadmap


Develop Strategy Roadmap


What is Strategy Roadmap?

A strategy roadmap is a bridge between strategy and execution. It visualizes the critical outcomes of the operational resilience effort that must be delivered over a particular time horizon to achieve the organisation’s strategic vision.

The outcomes on the strategy roadmap are grounded in a clear understanding of the organisation's current capabilities, the gaps to be closed and the priorities to be addressed.

This section belongs to the "Plan" phase of the Operational Resilience Planning Methodology. It is the second stage of the Plan phase: Develop Strategy Roadmap.

Audit Checklist for Develop Strategy Roadmap

 

1. Governance and Leadership

  • Is there a clear governance structure in place for the operational resilience program?
  • Are roles and responsibilities for program leadership clearly defined?
  • Is there senior management oversight and involvement in the program?
  • Are there mechanisms to escalate and resolve issues related to operational resilience?
Checklist
  • Establish a clear governance structure with defined roles and responsibilities for operational resilience.
  • Ensure senior management oversight and involvement in the program.
  • Develop policies and procedures to support effective governance and decision-making.
  • Define mechanisms for escalation and resolution of operational resilience issues.

2. Risk Assessment and Identification

  • Has a comprehensive risk assessment been conducted to identify potential operational risks?
  • Are all critical business processes and dependencies identified?
  • Have risk thresholds and impact tolerances been established?
  • Is there a process to regularly update and reassess risks and dependencies?
Checklist
  • Develop a standardized risk assessment methodology for identifying and evaluating operational risks.
  • Ensure all critical business processes, systems, and dependencies are identified.
  • Establish risk thresholds and impact tolerances to prioritize risks.
  • Implement a process for regular risk monitoring and reassessment.

3. Business Impact Analysis

  • Has a business impact analysis been performed to assess the potential consequences of operational disruptions?
  • Are critical functions and processes prioritized based on their impact on the organization?
  • Are recovery time objectives (RTOs) and recovery point objectives (RPOs) defined for critical processes?
  • Has the impact of interdependencies between processes been considered?
Checklist
  • Conduct a comprehensive business impact analysis to assess the potential consequences of operational disruptions.
  • Prioritize critical functions and processes based on their impact on the organization.
  • Define recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical processes.
  • Analyze interdependencies between processes to identify potential ripple effects.

4. Strategy Development

  • Has a strategy roadmap been developed to implement the operational resilience program?
  • Are there explicit goals and objectives for the program?
  • Is the strategy aligned with the organization's overall risk management and business continuity plans?
  • Are resource requirements and budget considerations identified in the strategy?
Checklist
  • Define the vision, goals, and objectives of the operational resilience program.
  • Align the strategy with the organization's overall risk management and business continuity plans.
  • Identify resource requirements, including budget, personnel, and technology.
  • Develop a roadmap with clear milestones and timelines for implementation.

5. Incident Response and Recovery

  • Is there an incident response plan for different types of operational disruptions?
  • Are roles and responsibilities clearly defined in the incident response plan?
  • Has the plan been tested and updated regularly?
  • Is there a process for learning from incidents and improving the operational resilience program?
Checklist
  • Establish an incident response plan that outlines procedures for responding to and recovering from operational disruptions.
  • Define roles and responsibilities for incident management, including incident response teams.
  • Regularly test and update the incident response plan to ensure its effectiveness.
  • Establish mechanisms for learning from incidents and incorporating improvements into the operational resilience program.

6. Communication and Coordination

  • Is there a communication plan to ensure effective communication during operational disruptions?
  • Are stakeholders identified and informed about the operational resilience program?
  • Is there coordination with external partners, vendors, and regulators during incidents?
  • Are there mechanisms to provide timely updates to stakeholders and manage their expectations?
Checklist
  • Define the vision and objectives of the operational resilience program.
  • Conduct a thorough assessment of the current state of operational resilience.
  • Identify key stakeholders and establish communication channels.
  • Develop a governance structure with clear roles and responsibilities.
  • Define risk assessment methodologies and criteria.
  • Perform a comprehensive risk assessment and document the findings.
  • Conduct a business impact analysis to prioritize critical functions and processes.
  • Develop recovery strategies and plans for critical processes.
  • Identify resource requirements and budget considerations.
  • Establish performance metrics and key performance indicators (KPIs) for measuring progress.
  • Develop an incident response plan with clear escalation procedures.
  • Test and validate the incident response plan through simulations and drills.
  • Develop a communication plan for internal and external stakeholders.
  • Establish mechanisms for ongoing monitoring and reporting of operational resilience.
  • Regularly review and update the strategy roadmap to incorporate lessons learned and evolving risks.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.

ORA [Plan] Questionnaires: Confirm Risk Appetite


Confirm Risk Appetite


What is Risk Appetite?

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.  The scope is further enlarged when viewed from an operational resilience perspective.

It reflects the organization’s risk management philosophy and influences its culture and operating style.

This section belongs to the "Plan" phase of the Operational Resilience Planning Methodology. It is the fourth stage of the Plan phase: Confirm Risk Appetite.

Audit Checklist to Confirm Risk Appetite

 

1. Risk Appetite Framework

  • Is there a documented risk appetite framework in place?
  • Have senior management and the board approved the risk appetite framework?
  • Does the risk appetite framework align with the organization's objectives and strategy?
  • Is the risk appetite framework effectively communicated throughout the organization?
  • Are risk appetite statements measurable and specific, allowing for meaningful risk assessments?
  • Are risk appetite limits clearly defined for different types of operational risks?
  • Are risk appetite limits regularly reviewed and updated to reflect changes in the business environment?
  • Is there a mechanism to monitor and report on adherence to risk appetite limits?

Checklist

  • Review the documented risk appetite framework and ensure it is easily accessible to relevant stakeholders.
  • Verify that senior management and the board have approved the risk appetite framework.
  • Evaluate the alignment of the risk appetite framework with the organization's overall objectives and strategy.
  • Assess the effectiveness of communication channels that convey the risk appetite framework to employees.
  • Review risk appetite statements, assess whether they are measurable and specific, and facilitate meaningful risk assessments.
  • Evaluate the clarity and specificity of risk appetite limits set for different types of operational risks.
  • Confirm that risk appetite limits are regularly reviewed and updated to reflect changes in the business environment.
  • Assess the availability of mechanisms to monitor and report on adherence to risk appetite limits.

2. Risk Identification and Assessment

  • Has the organization conducted a comprehensive identification of operational risks?
  • Are risk assessments conducted regularly to identify new and emerging risks?
  • Are risk assessments based on a combination of qualitative and quantitative factors?
  • Are risk assessments conducted consistently across all relevant business areas?
  • Are risk assessments aligned with the organization's risk appetite framework?
  • Are potential impacts on critical business processes and systems considered in risk assessments?
  • Is there a process to validate and review risk assessments conducted by different business units?
  • Do appropriate data and evidence support risk assessments?
Checklist
  • Evaluate the comprehensiveness of the organization's risk identification process.
  • Review documented risk assessments and evaluate if they cover various operational risks.
  • Assess the frequency of risk assessments to determine if they are conducted regularly and reflect current risks.
  • Verify that risk assessments consider both qualitative and quantitative factors in evaluating risks.
  • Review risk assessment processes across different business areas for consistency and standardization.
  • Confirm that risk assessments are aligned with the organization's risk appetite framework.
  • Evaluate if risk assessments consider potential impacts on critical business processes and systems.
  • Assess the process for validating and reviewing risk assessments conducted by different business units.

3. Risk Tolerance and Risk Mitigation

  • Has the organization established risk tolerance levels for different operational risks?
  • Are risk tolerance levels consistent with the risk appetite framework?
  • Are risk tolerance levels clearly defined and communicated to relevant stakeholders?
  • Is there a process to monitor and measure risks against established tolerance levels regularly?
  • Are risk mitigation strategies in place for risks exceeding the risk tolerance levels?
  • Are risk mitigation strategies aligned with the organization's risk appetite and overall strategy?
  • Are risk mitigation actions prioritized based on their potential impact on operational resilience?
  • Is there a mechanism to monitor and evaluate the effectiveness of risk mitigation measures?
Checklist
  • Verify the establishment of risk tolerance levels for different operational risks.
  • Assess the consistency of risk tolerance levels with the risk appetite framework.
  • Review the clarity and effectiveness of communication regarding risk tolerance levels to relevant stakeholders.
  • Evaluate the monitoring and measurement mechanisms to track risks against established tolerance levels.
  • Assess the effectiveness of risk mitigation strategies for risks exceeding the risk tolerance levels.
  • Confirm the alignment of risk mitigation strategies with the organization's risk appetite and overall strategy.
  • Assess the prioritization process for risk mitigation actions based on the potential impact on operational resilience.
  • Evaluate the availability of mechanisms to monitor and evaluate the effectiveness of risk mitigation measures.

4. Incident Management and Response

  • Does the organization have a documented incident management plan in place?
  • Is the plan regularly reviewed and updated to reflect changes in the business environment?
  • Are roles and responsibilities clearly defined for incident response teams?
  • Are there defined escalation procedures for different types of incidents?
  • Is there a process for identifying, assessing, and prioritizing incidents based on their potential impact?
  • Does the organization have a communication plan for notifying stakeholders about incidents?
  • Are there established metrics and thresholds for measuring the effectiveness of incident response activities?
  • Has the organization conducted post-incident reviews to identify areas for improvement?
  • Are incident response procedures aligned with the organization's risk appetite?
Checklist
  • Review the documented incident management plan and assess its alignment with the organization's risk appetite.
  • Evaluate whether the plan includes clear roles and responsibilities for incident response teams.
  • Assess the defined escalation procedures for different incidents and their alignment with risk appetite.
  • Verify the presence of a process for identifying, assessing, and prioritizing incidents based on potential impact and risk appetite.
  • Examine the communication plan for notifying stakeholders about incidents and assess its effectiveness in aligning with risk appetite.
  • Check if there are established metrics and thresholds for measuring the effectiveness of incident response activities and their alignment with risk appetite.
  • Evaluate whether the organization conducts post-incident reviews to identify areas for improvement and ensure they align with risk appetite.
  • Assess the alignment of incident response procedures with the organization's risk appetite.

5. Business Continuity Planning

  • Has the organization conducted a business impact analysis to identify critical business functions and their dependencies?
  • Are there documented business continuity plans in place for critical functions?
  • Have the plans been tested and validated to ensure their effectiveness?
  • Are there defined recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical business functions?
  • Is there a process for regularly reviewing and updating the business continuity plans?
  • Are employees aware of their roles and responsibilities during business disruption?
  • Has the organization identified alternative work locations or facilities in case of a site failure?
  • Are there established communication channels and procedures for coordinating the execution of business continuity plans?
  • Are business continuity plans aligned with the organization's risk appetite?
Checklist
  • Review the business impact analysis to identify critical business functions and their dependencies.
  • Assess the presence and effectiveness of documented business continuity plans for critical functions.
  • Verify if the plans have been tested and validated to ensure their effectiveness aligns with risk appetite.
  • Evaluate the definition of recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical business functions and their alignment with risk appetite.
  • Assess the process for regularly reviewing and updating the business continuity plans to ensure they align with risk appetite.
  • Evaluate the awareness among employees regarding their roles and responsibilities in the event of business disruption and their alignment with risk appetite.
  • Verify the identification of alternative work locations or facilities in case of site failure and their alignment with risk appetite.
  • Assess the communication channels and procedures for coordinating the execution of business continuity plans and their alignment with risk appetite.
  • Evaluate the alignment of business continuity plans with the organization's risk appetite.

6. Testing and Exercising

  • Has the organization conducted regular testing and exercising of its operational resilience plans?
  • Are different scenarios and incidents considered during testing, including worst-case scenarios?
  • Is there a process for capturing and documenting lessons learned from testing exercises?
  • Are test results and findings communicated to relevant stakeholders for review and remediation?
  • Are there established criteria for evaluating the effectiveness of testing exercises?
  • Based on testing results, has the organization addressed any identified deficiencies or gaps in the operational resilience plans?
  • Are testing and exercising activities aligned with the organization's risk appetite?
Checklist
  • Assess whether the organization conducts regular testing and exercising its operational resilience plans.
  • Evaluate if different scenarios and incidents, including worst-case scenarios, are considered during testing in alignment with risk appetite.
  • Verify the presence of a process for capturing and documenting lessons learned from testing exercises and their alignment with risk appetite.
  • Assess the communication of test results and findings to relevant stakeholders for review and remediation, aligning with risk appetite.
  • Verify the existence of established criteria for evaluating the effectiveness of testing exercises and their alignment with risk appetite.
  • Evaluate if the organization addresses identified deficiencies or gaps in operational resilience plans based on testing results and risk appetite.
  • Assess the alignment of testing and exercising activities with the organization's risk appetite.

7. Governance and Oversight

  • Does the organization have a designated governance body responsible for overseeing operational resilience?
  • Are governance responsibilities and decision-making authorities clearly defined?
  • Does governance regularly assess the organization's operational resilience strategy and plans?
  • Is there a process for monitoring and reporting operational resilience metrics and key performance indicators (KPIs)?
  • Are there mechanisms to ensure compliance with applicable laws, regulations, and industry standards?
  • Does the organization have a risk appetite statement that includes operational resilience?
  • Are risk appetite thresholds and tolerances clearly defined for operational resilience?
  • Is there a process for regularly reviewing and updating the risk appetite statement?
  • Are governance and oversight activities aligned with the organization's risk appetite?
Checklist
  • Assess the presence of a designated governance body responsible for overseeing operational resilience.
  • Evaluate if governance responsibilities and decision-making authorities are clearly defined and align with risk appetite.
  • Review the regular review and assessment process for the organization's operational resilience strategy and plans, aligning with risk appetite.
  • Assess the process for monitoring and reporting operational resilience metrics and key performance indicators (KPIs) in alignment with risk appetite.
  • Verify the mechanisms to ensure compliance with applicable laws, regulations, and industry standards, aligning with risk appetite.
  • Evaluate the presence and alignment of a risk appetite statement that includes operational resilience.
  • Assess the clarity and regular review process of risk appetite thresholds and tolerances for operational resilience.
  • Evaluate the overall alignment of governance and oversight activities with the organization's risk appetite.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.


Questionnaires and Checklist "Plan" Phase

  • Assess Capability and Maturity
  • Analyse Gap
  • Develop Strategy Roadmap
  • Confirm Risk Appetite
  • Develop and Embed Governance

Find out more about Blended Learning ORA-5000 [BL-ORA-5] & ORA-300 [BL-ORA-3]. Please feel free to send us a note if you have any questions (Email to Sales Team [BCM Institute]).
ORA [Sustain] Questionnaires: Conduct and Provide Self-assessments

Provide Self-assessments

What is Self-assessment?

Self-Assessment in Operational Resilience ensures that the regulated organisation captures and documents the steps taken towards operational resilience and provides a comprehensive and objective evaluation of the organisation's strategy and overall ability to respond to disruptions.

This section is the "Sustain" phase of the Operational Resilience Planning Methodology.  It is the fourth stage of the Sustain phase: Provide Self-assessment.

Audit Checklist for Provide Self-assessments

1. Documentation and Policies

  • Are operational resilience policies and procedures well-documented and readily accessible?
  • Are the policies and procedures aligned with industry best practices and regulatory requirements?
  • Do the documented policies clearly define roles, responsibilities, and accountability for operational resilience?
  • Is there evidence of regular reviews and updates to the operational resilience documentation?
Checklist
  • Review the documentation of operational resilience policies and procedures.
  • Assess the alignment of policies with industry best practices and regulations.
  • Evaluate the clarity and completeness of roles, responsibilities, and accountability definitions.
  • Verify the existence of a process for regular reviews and updates to the documentation.

2. Risk Assessment and Analysis

  • Has a comprehensive risk assessment been conducted to identify and assess potential risks?
  • Are risks prioritized based on their potential impact and likelihood?
  • Are mitigation strategies and controls in place to address identified risks?
  • Is there a process for regularly monitoring and updating risk assessments?
Checklist
  • Evaluate the documentation of the risk assessment process.
  • Assess the comprehensiveness of the risk assessment, including identification and assessment of risks.
  • Verify the prioritization of risks based on impact and likelihood.
  • Review the documented mitigation strategies and controls.
  • Determine if there is a process for regularly monitoring and updating risk assessments.

3. Business Impact Analysis (BIA)

  • Has a thorough business impact analysis (BIA) been conducted to identify critical processes and systems?
  • Have the potential impacts of disruptions to critical processes and systems been assessed?
  • Are recovery time objectives (RTOs) and recovery point objectives (RPOs) defined for critical processes?
  • Are mitigation strategies and plans in place to ensure the timely recovery of critical processes?
Checklist
  • Review the business impact analysis (BIA) process documentation.
  • Evaluate the completeness and accuracy of the identification of critical processes and systems.
  • Assess the thoroughness of the assessment of potential impacts.
  • Verify the definition of recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical processes.
  • Review the mitigation strategies and plans to ensure timely recovery.

4. Training and Awareness

  • Is there a training program in place to educate employees on operational resilience?
  • Are employees aware of their roles and responsibilities regarding operational resilience?
  • Are there mechanisms to track and monitor employee completion of operational resilience training?
  • Are there regular communication and awareness campaigns to promote a culture of operational resilience?
Checklist
  • Review the training program documentation for operational resilience.
  • Evaluate the effectiveness of the training in educating employees.
  • Assess the mechanisms in place to track and monitor employee completion of training.
  • Verify the existence of regular communication and awareness campaigns.
  • Determine the extent of the culture of operational resilience within the organization.

5. Testing and Exercise Evaluation

  • Have operational resilience plans and procedures been tested through exercises and simulations?
  • Is there a documented schedule for testing and exercising operational resilience capabilities?
  • Are different scenarios and levels of disruptions considered during testing?
  • Are testing results analyzed to identify areas for improvement and corrective actions?
  • Are there mechanisms to track and follow up on implementing corrective actions identified during testing?
Checklist
  • Review the operational resilience testing and exercise plan documentation. 
  • Evaluate the adequacy of the testing schedule and the consideration of various scenarios.
  • Assess the testing results analysis to identify improvement areas.
  • Determine if lessons learned from testing and exercises are documented and incorporated into improvements.

6. Incident Response Evaluation

  • Is there an incident response plan for operational resilience incidents?
  • Has the incident response plan been tested and validated?
  • Are roles, responsibilities, and communication channels clearly defined within the incident response plan?
  • Is there a designated incident response team and a straightforward escalation process?
  • Is there a process for post-incident analysis and continuous improvement of the incident response capabilities?
Checklist
  • Review the incident response plan documentation for operational resilience incidents.
  • Evaluate the testing and validation activities conducted on the incident response plan.
  • Assess the clarity and accuracy of roles, responsibilities, and communication channels.
  • Verify the incident response team's existence and composition and escalation process.
  • Determine if there is a process for post-incident analysis and continuous improvement.

7. Continuous Improvement

  • Is there a process in place to monitor and review the effectiveness of the operational resilience program?
  • Are lessons learned from incidents, tests, and exercises incorporated into improvements?
  • Is there a mechanism to capture and address feedback and suggestions for operational resilience?
  • Are there metrics and performance indicators to measure the effectiveness of the operational resilience program?
  • Is there a culture of continuous improvement and learning within the organization?
Checklist
  • Evaluate the process for monitoring and reviewing the effectiveness of the operational resilience program.
  • Assess the incorporation of lessons learned from incidents, tests, and exercises into improvements.
  • Verify the existence of a mechanism to capture and address feedback and suggestions.
  • Review the metrics and performance indicators for measuring program effectiveness.
  • Determine the extent of the organization's continuous improvement and learning culture.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.

Questionnaires and Checklist "Sustain" Phase

  • Introduce Cultural Change
  • Develop Communication Strategy
  • Implement Training and Awareness
  • Provide Self-assessment
  • Conduct Independent Quality Review

More Information About Blended Learning Operational Resilience Audit (ORA) Courses

BCM Institute offers two levels of OR auditing courses: the Blended Learning ORA-300 Operational Resilience Audit Specialist [BL-ORA-3] and the Blended Learning ORA-5000 Operational Resilience Audit Expert [BL-ORA-5]. Please feel free to send us a note if you have any questions (Email to Sales Team [BCM Institute]).
ORA [Plan] Questionnaires: Analyse Gap

Analyse the Gap

OR_Plan_Update Diagram

What is Gap Analysis in OR?

A gap analysis is a method of assessing the performance of a business unit to determine whether operational resilience requirements or objectives are being met and, if not, what steps should be taken to meet them.

A gap analysis is also called a needs analysis, needs assessment or need-gap analysis.

This section is the "Plan" phase of the Operational Resilience Planning Methodology.  It is the second stage of the Plan phase: Analyse Gap.

Audit Checklist for Analysing the Gap

 

1. Gap Analysis Process

  • Has a structured process been defined for conducting the gap analysis?
  • Are the objectives and scope of the gap analysis clearly defined?
  • Is there a designated team responsible for conducting the gap analysis?
  • Are the necessary resources allocated for conducting a thorough analysis?
  • Has a timeline or schedule been established for completing the gap analysis?

Checklist: Gap Analysis Process

  • Review the documented process for conducting the gap analysis.
  • Evaluate the clarity and comprehensiveness of the defined objectives and scope.
  • Assess the qualifications and expertise of the team responsible for the analysis.
  • Verify that sufficient resources, such as personnel and technology, are available for the analysis.
  • Confirm the existence of a timeline or schedule for completing the gap analysis.

2. Identification of Current State

  • Has the current state of the operational resilience program been accurately assessed?
  • Are the program's key components, processes, and controls identified and documented?
  • Has the maturity level of each component been evaluated?
  • Are there any gaps or deficiencies identified in the current state?
  • Have relevant stakeholders been involved in the identification process?

Checklist: Identification of Current State

  • Verify the accuracy and comprehensiveness of the assessment of the current state of the operational resilience program.
  • Evaluate the documentation of key components, processes, and controls.
  • Assess the methodology used for evaluating the maturity level of each component.
  • Identify and document any identified gaps or deficiencies in the current state.
  • Confirm the involvement of relevant stakeholders in the identification process.

3. Desired Future State

  • Has a desired future state for the operational resilience program been defined?
  • Are there specific objectives and targets for each component of the program?
  • Is the desired future state aligned with regulatory requirements and industry best practices?
  • Are the resources and capabilities required for achieving the desired future state identified?
  • Has a roadmap or action plan been developed to bridge the gap between the current and desired future state?

Checklist: Desired Future State

  • Review the documentation of the desired future state for the operational resilience program.
  • Evaluate the clarity and specificity of the defined objectives and targets.
  • Verify the alignment of the desired future state with regulatory requirements and industry best practices.
  • Assess the identification of resources and capabilities needed to achieve the desired future state.
  • Confirm the existence of a roadmap or action plan for bridging the gap between the current state and the desired future state.

4. Risk Assessment and Prioritization

  • Has a risk assessment been conducted to identify the risks of closing the gap?
  • Are the identified risks prioritized based on their potential impact and likelihood?
  • Has a mitigation strategy been developed for each identified risk?
  • Are the resources and efforts allocated appropriately based on risk prioritization?
  • Have appropriate stakeholders reviewed and approved the risk assessment and prioritization?

Checklist: Risk Assessment and Prioritization

  • Verify the completion of a risk assessment specifically focused on the gap analysis process.
  • Evaluate the methodology used for prioritizing the identified risks.
  • Assess the effectiveness and feasibility of the mitigation strategies developed for each risk.
  • Review the allocation of resources and efforts based on risk prioritization.
  • Confirm the review and approval of the risk assessment and prioritization by appropriate stakeholders.

5. Business Impact Analysis

  • Has a comprehensive BIA been conducted to identify critical business processes, dependencies, and their impact on the organization?
  • Does each critical process have clearly defined recovery time objectives (RTOs) and recovery point objectives (RPOs)?
  • Has the BIA identified and assessed the potential financial, operational, reputational, and regulatory impacts of disruptions to critical processes?
  • Are there documented strategies and plans to mitigate the identified risks and ensure timely recovery?

Checklist: Business Impact Analysis

  • Review the documentation of the BIA process, including its objectives and scope.
  • Evaluate the accuracy and completeness of critical process identification and dependency mapping.
  • Assess the identification and documentation of RTOs and RPOs for each critical process.
  • Verify that the BIA includes financial, operational, reputational, and regulatory impact assessments.
  • Review the mitigation strategies and recovery plans developed based on the BIA findings.

6. Risk Assessment

  • Has a risk assessment been conducted to identify and evaluate potential threats and vulnerabilities to the operational resilience program?
  • Are there documented processes to identify, assess, and prioritize risks?
  • Has the likelihood and potential impact of identified risks been analyzed?
  • Are risk mitigation strategies and controls in place to address identified risks?
  • Is there a process for regularly reviewing and updating the risk assessment?

Checklist: Risk Assessment

  • Verify the completion of a risk assessment specifically focused on the operational resilience program.
  • Evaluate the adequacy and effectiveness of the risk identification and assessment processes.
  • Assess the accuracy and comprehensiveness of the risk likelihood and impact analysis.
  • Review the documented risk mitigation strategies and controls implemented to address identified risks.
  • Determine if a process is in place to review and update the risk assessment periodically.

7. Business Continuity Planning

  • Has a BCP framework been established to guide the development and implementation of business continuity plans?
  • Are there documented business continuity plans for critical processes and systems?
  • Have the plans been tested and validated through exercises and simulations?
  • Are roles, responsibilities, and communication channels clearly defined within the business continuity plans?
  • Is there a process to periodically review and update the business continuity plans?

Checklist: Business Continuity Planning

  • Review the documented BCP framework and its alignment with industry standards and best practices.
  • Evaluate the existence and adequacy of business continuity plans for critical processes and systems.
  • Assess the documentation of testing and validation activities conducted on the business continuity plans.
  • Verify the clarity and accuracy of the plans' roles, responsibilities, and communication channels.
  • Determine if a process is in place to review and update the business continuity plans periodically.


8. Incident Response/IT Disaster Recovery

  • Are there documented incident response and IT disaster recovery plans?
  • Have the plans been tested and validated through exercises and simulations?
  • Is there a designated incident response team and a clear escalation process?
  • Are there backup and recovery mechanisms in place for critical IT systems and data?
  • Is there a process for continuously monitoring and improving incident response and IT disaster recovery capabilities?

Checklist: Incident Response/IT Disaster Recovery

  • Verify the existence and adequacy of documented incident response and IT disaster recovery plans.
  • Evaluate the documentation of testing and validation activities conducted on the plans.
  • Assess the existence and composition of the incident response team and the clarity of the escalation process.
  • Review the backup and recovery mechanisms implemented for critical IT systems and data.
  • Determine if a process is in place for continuous monitoring and improvement of incident response and IT disaster recovery capabilities.

9. Vendor and Third-Party Management

  • Is there a comprehensive process in place to assess and manage the risks associated with vendors and third-party service providers?
  • Are there documented criteria for selecting vendors and conducting due diligence?
  • Is there a mechanism to monitor and ensure the ongoing compliance of vendors with operational resilience requirements?
  • Are there contingency plans and alternate arrangements in place in case of disruptions from vendors or third-party service providers?
  • Are there processes to periodically review and assess the effectiveness of vendor and third-party management practices?

Checklist: Vendor and Third-Party Management

  • Review the documented vendor and third-party management processes and procedures.
  • Evaluate the criteria used for vendor selection and due diligence.
  • Assess the effectiveness of ongoing monitoring and compliance management mechanisms.
  • Verify the existence of contingency plans and alternate arrangements for vendor disruptions.
  • Determine if periodic reviews and assessments of vendor and third-party management practices exist.

10. Training and Awareness

  • Is there a training program in place to educate employees about operational resilience policies, procedures, and best practices?
  • Are employees aware of their roles and responsibilities regarding operational resilience?
  • Are there regular communication and awareness campaigns to promote a culture of operational resilience?
  • Are training programs periodically updated to reflect changes in operational resilience requirements?
  • Is there a mechanism to track and monitor employee completion of required operational resilience training?

Checklist: Training and Awareness

  • Review the documentation of the training program for operational resilience.
  • Evaluate the effectiveness and comprehensiveness of the training materials and resources.
  • Assess the clarity and understanding of employee roles and responsibilities.
  • Verify the existence of regular communication and awareness campaigns.
  • Determine if a mechanism exists to track and monitor employee completion of operational resilience training.

11. Governance and Oversight

  • Is there a well-defined governance framework and structure for operational resilience?
  • Are individuals or teams responsible for operational resilience assigned clear roles, responsibilities, and accountabilities?
  • Is there a mechanism to ensure oversight and monitoring of operational resilience activities?
  • Are there regular reporting and escalation processes to senior management or the board of directors?
  • Are there mechanisms to review and update the governance framework and structure as needed?

Checklist: Governance and Oversight

  • Review the documented governance framework and structure for operational resilience.
  • Evaluate the clarity and effectiveness of assigned roles, responsibilities, and accountabilities.
  • Assess the mechanisms in place for oversight and monitoring of operational resilience activities.
  • Verify the existence of regular reporting and escalation processes to senior management or the board.
  • Determine if there are mechanisms to review and update the governance framework and structure.

12. Business Continuity and Resilience Testing

  • Are there documented plans and procedures for testing the effectiveness of business continuity and resilience measures?
  • Is there a schedule for conducting regular testing and exercises?
  • Are different scenarios and levels of disruptions considered during testing?
  • Are testing results analyzed and used to identify areas for improvement and corrective actions?
  • Are there mechanisms to track and follow up on implementing corrective actions identified during testing?

 

Checklist: Business Continuity and Resilience Testing

  • Review the documented plans and procedures for business continuity and resilience testing.
  • Evaluate the adequacy of the testing schedule and the consideration of different scenarios.
  • Assess the analysis and use of testing results for improvement and corrective actions.
  • Verify the existence of mechanisms to track and follow up on the implementation of corrective actions.
  • Determine if there is a process to document lessons learned from testing and exercises.

 

13. Continuous Improvement

  • Is there a process to identify and address gaps and deficiencies in the operational resilience program?
  • Are there mechanisms to capture and document lessons learned from incidents, tests, and exercises?
  • Is there a feedback loop to ensure that identified improvements are implemented?
  • Are there metrics and performance indicators to measure the effectiveness of the operational resilience program?
  • Is there a culture of continuous improvement and learning within the organization?

 

Checklist: Continuous Improvement

  • Review the process for identifying and addressing gaps and deficiencies in the operational resilience program.
  • Evaluate the mechanisms to capture and document lessons learned from incidents, tests, and exercises.
  • Assess the feedback loop to ensure the implementation of identified improvements.
  • Verify the existence of metrics and performance indicators for measuring program effectiveness.
  • Determine if there is evidence of a culture of continuous improvement and learning within the organization.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.
